[Title of the Invention] 

METHOD AND APPARATUS FOR MONITORING COMMUNICATION DATA 
[Abstract] 

[Problem] A system administrator of an intranet has the following problems in circulating content in the intranet. 

(1) Restriction of circulating contents out of contract without permission; 

(2) Restriction of copying of contents without permission. 

[Solving Means] (1) Controlling circulation of contents within a network by providing a label unique to a business enterprise. 

(2) Recording an operation screen image and a mug-shot of the user as history when content is copied. 

(3) Especially, the method and administration mode for recording the history of (2) are determined depending upon the kind of the label of (1). 

[Scope of Claim for a Patent] 

[Claim 1] A communication data monitoring method for a plurality of computers connected to a network, comprising the steps of transferring communication data and a label relating to said communication data between said computers, and making reference to said label and making judgment of the security level of said communication data, wherein said method further comprises a step of detecting an effective security level within a range of said computers or said network on the basis of said label, a step of accessing or copying the communication data, and a step of recording a mug-shot of an operator or an operation screen image of each computer as history. 

[Claim 2] A firewall for temporarily storing communication data flowing between networks set to mutually different security levels, which is used by a computer connected to the network having the higher security level as a communication data accumulation apparatus, comprising means for adding a label indicative of an attribute of a security level to the communication data received from the network having the lower security level, and means for deleting said label from the communication data to be transmitted to the network having the lower security level. 

[Claim 3] A communication data monitoring apparatus connected to a plurality of computers via a network, and presenting the operation history of accessed and copied communication data in said computers to an auditor, comprising key generating means for generating a public key of the auditor and transmitting it to said computers, history accumulating means for accumulating encrypted operation history consisting of a mug-shot of the operator and screen image content, and history decrypting means for decrypting the operation history by a secret key of the auditor. 

[Claim 4] A communication data monitoring apparatus connected to a plurality of computers via a network, and presenting the operation history of accessed and copied communication data in said computers to an auditor, comprising rule setting means for recording a correspondence table between the security level attached to the communication data and a monitoring rule, and security judgment means for retrieving said correspondence table in response to an inquiry of each computer and returning the necessity or non-necessity of obtaining history relating to said communication data. 

[Claim 5] A communication data monitoring method as set forth in claim 1, further comprising a step of displaying an advisory message indicating that access to the communication data is prohibited on the operation screen of the computer upon non-detection of the label indicative of a security level. 

[Claim 6] A communication data monitoring method as set forth in claim 1, further comprising a step of decrypting the label and the communication data by an independent encryption key of each user or each computer. 

[Claim 7] A firewall as set forth in claim 2, further comprising means for accumulating the communication data transmitted from a computer of the network having the lower security level, and including label attaching means holding an encryption key enabling at least one computer and at least one user of the network having the higher security level to decrypt, for encrypting data combining the communication data and the label by using said encryption key to encrypt the label. 

[Claim 8] A firewall as set forth in claim 2, further comprising means for accumulating encrypted data transmitted from a computer of the network having the higher security level, including label attaching means holding a decryption key for decrypting the encrypted data, for decrypting cipher data in which the communication data and the label are contained by using said decryption key to separate said communication data and said label, and means for accumulating history of sending said communication data to the network having the lower security level according to the security label. 

[Claim 9] A portable card to be connected to a computer for receiving communication data and a label, where a plurality of computers and a firewall are connected via a network, and for use in decrypting encrypted communication data and a label, wherein encryption keys generated in session with the firewall independently per user and security label are accumulated. 

[Detailed Description of the Invention] 
[0001] 

[Technical Field Pertinent to the Invention] The present invention relates to a technology for reliably maintaining the security of communication data in a computer network. 
[0002] 

[Prior Art] With the spread of the Internet and intranets, the following problems arise when communicating programs (hereinafter referred to as contents), such as so-called multimedia data, software and so forth, through a network. 

[0003] (1) Copying of contents by an unspecified number of users: On the computers (personal computers) at the terminal end of the flow, content can be easily copied. Furthermore, since the owner cannot monitor the condition of the end PCs, it is difficult to claim intellectual property rights. 

[0004] (2) Charge incurred upon using content: A pay-later system is one in which the user pays the charge only after use of the content, not at the stage at which the owner having the right to charge sends out the content. However, similarly to problem (1), since the owner cannot monitor the condition of the end PCs, it is difficult to charge the account to the user. 

[0005] As an approach to these problems, a system and apparatus for super-distribution are designed so that an owner circulates content attaching its own information as an electronic label, and a user pays the charge to the owner indicated on the label depending upon the amount of use of the content. Super-distribution has been disclosed in Ryoichi MORI, Seiji KAWAHARA and Yasuhiro OTAKI, "Super-distribution: Electronic Technology for Processing of Intellectual Property Right", Information Processing Society of Japan, Vol. 37, No. 2, February 1996. 
[0006] 

[Problem to be Solved by the Invention] However, in the known art, there are the following unsatisfactory points for the provider (enterprise) of an intranet and the system administrator. 
[0007] (1) Circulation of contents without permission cannot be restricted. 

The system administrator provides a server device accumulating contents by installing the contents from a portable medium, such as a CD-ROM or DVD, or by downloading them using a communication program, such as FTP, WWW or the like. A general user uses the content by accessing the server device. 

[0008] However, it is possible that the general user loads the content without permission of the owner and circulates it in the network. 

[0009] At this time, by loading contents outside the intended design, a resource of the computer, such as a hard disk, the network and so forth, can be wasted so as to hinder business. Otherwise, invasion of a virus into the network may cause economic damage through data destruction. 

[0010] The system administrator is required to prove to the provider that users do not circulate contents without permission. 

[0011] (2) Copying of contents without permission cannot be restricted. 

Between an owner and an enterprise, a site licensing contract is established permitting copying of contents only for use on the computers connected to the internal network of the enterprise. The owner can reliably receive the charge for the contents from the enterprise. The enterprise can save on use charges and on the load of administering the contents by establishing a bulk contract. 

[0012] However, it is possible that a general user copies the contents without permission of the system administrator or the owner and uses them in a network or computer outside the contract. In such a case, when the abuse comes to light, the owner may sue the enterprise for violation of contract. 
[0013] The system administrator is required to prove to the owner that users have not copied contents without permission. 
[0014] 

[Means for Solving the Problem] In order to accomplish the above-mentioned objects, an effective security level within a range of said computers or said network is detected on the basis of the label, and upon accessing or copying communication data, a mug-shot of the operator or an operation screen image of each computer is recorded as history. 

[0015] Particularly, when the security level is detected, (1) an advisory message indicating that access to the communication data is prohibited is displayed on the operation screen of the computer upon non-detection of the label indicative of the security level. 

[0016] (2) A label encrypted by the firewall or the like is decrypted by an independent decryption key per user or computer. 

[0017] The foregoing is desirable. 

[0018] A monitoring apparatus is provided on the network. 
[0019] The monitoring apparatus is preferably an apparatus comprising key generating means for generating a public key of an auditor and transmitting it to said computers, history accumulating means for accumulating history encrypted by each computer using the public key of the auditor, and history decrypting means for decrypting the operation history by a private key of the auditor. 

[0020] The monitoring apparatus is provided on the network. 
[0021] The monitoring apparatus is desirably an apparatus comprising rule setting means for recording a correspondence table between a label indicating the security attached to the communication data and a monitoring rule, and security judgment means for retrieving said correspondence table in response to an inquiry of a computer and returning the necessity or non-necessity of obtaining history relating to said communication data. 
[0022] On the other hand, a firewall provided on the network as the premise of the foregoing label control has means for attaching a label indicative of an attribute of a security level to communication data received from a network having a lower security level, and means for deleting said label from the communication data to be transmitted to a network having a lower security level. 
[0023] Particularly, 

(1) There is held an encryption key enabling at least one computer and at least one user of the network having the higher security level to decrypt, and data combining the communication data and a label is encrypted by using said encryption key to encrypt the label. 

[0024] (2) There is held a decryption key for decrypting encrypted data in which communication data and a label are contained; by using said decryption key, said communication data and said label are separated so that the label can be deleted, and history of sending said communication data to the network having the lower security level is accumulated depending upon the security label. 
[0025] The foregoing is desirable. 

[0026] On the other hand, a portable card for label decrypting is used in each computer. 

[0027] In the portable card, it is desirable that encryption keys are accumulated independently per user and security label, to be used upon decrypting the label and the communication data encrypted by the firewall. 
[0028] 

[Mode for Carrying Out the Invention] Embodiments of the present invention will be discussed in detail with reference to the drawings. 

[0029] Fig. 1 is a flow diagram of a content monitoring method in a computer to which the present invention is applied. 
[0030] In Fig. 1, 111 denotes a process for extracting a label from content, 116 denotes a process for making judgment of the security level of the content on the basis of the extracted label, 121 denotes a process for detecting a copying operation of the content by a user, and 122 denotes a process for recording an operation screen image. The method is characterized by making judgment whether history (an operation screen image or a mug-shot of the user) is to be recorded or not depending upon the security level. 

[0031] Fig. 2 is a block diagram showing one embodiment of a firewall attaching the label of the present invention. 

[0032] In Fig. 2, 231 denotes a program for attaching the label, 232 denotes a program for encrypting communication data together with the label, 241 denotes a program for revoking the label, and 242 denotes a program for decrypting the label. The firewall 210 is connected to networks having different security levels, and is characterized by encrypting communication data transmitted from the network having the lower level, and decrypting communication data transmitted from the network having the higher level. 

[0033] Fig. 3 is a block diagram showing a construction for encrypting the operation history recorded by the present invention, transmitting it to a server for an auditor and accumulating it. This embodiment uses an asymmetric encryption method in which the encryption key and the decryption key are different. 
[0034] In Fig. 3, 361 denotes a key generation and distribution program for generating a public key 321 and a private key 322 of the auditor and distributing the public key 321 to each computer recording the history. Numeral 362 denotes a program for accumulating the operation history 324 of each computer, and 363 denotes a program for decrypting the operation history 324 and presenting it to the auditor. Fig. 3 is characterized by keeping business secrets through encryption at each computer before sending the history to the auditor server, and by giving a guarantee of privacy for the user. 

[0035] Fig. 4 is a block diagram showing a construction of one embodiment in which label judgment is implemented by an independent content monitoring apparatus on the network. 
[0036] In Fig. 4, 413 and 463 are encryption communication means, 462 denotes judgment means, and 460 denotes a rule table indicating the presence or absence of rules for recording labels and operation screen images. In this example, a label is first decrypted by each computer, encrypted again using another encrypting program 413, and sent to a content monitoring apparatus 451 for label judgment. The apparatus is characterized by returning the result of the judgment on the necessity of recording operation history on the basis of the rule table. 

[0037] Fig. 5 and the subsequent drawings are explanatory illustrations showing an apparatus and a procedure relating to the present invention. 

[0038] Fig. 5 is a flow diagram showing a procedure for detecting the label in each computer. 

[0039] Fig. 6 is a block diagram showing an arrangement of programs for generation and separation of the label in the computer and the firewall. This embodiment is characterized by resolving data combined from the label and the communication data and encrypted (encapsulated). 

[0040] Fig. 7 is a flow diagram showing a procedure for decrypting, in each computer, communication data encrypted in the firewall. The shown embodiment employs an asymmetric encryption method in which the encryption key and the decryption key are different. 

[0041] In Fig. 7, 704 denotes a step of using a public key registered in the firewall in the absence of a public key preliminarily registered for each user or each computer, and 714 denotes a step of attaching a self-decryptable public key, re-transmitting the data to the firewall and requesting re-encryption when decrypting is not possible in the computer. 
[0042] Fig. 8 is a flow diagram showing a procedure for inspecting, in the firewall, whether or not communication data encrypted by each computer can be decrypted. 804 denotes a step of using the public key registered for the firewall, since there is no public key at the communication destination on the network having the lower security, and 814 denotes a step of sending a request when decrypting is not possible in each computer. 

[0043] Fig. 9 is a block diagram showing a construction of each computer, especially a construction in the case where a portable card is used for key management when encrypting communication data. A card 921 incorporates the public key 921 of the firewall and an encryption key 922 of a user. The example shows one embodiment of a session key exchanging method in which a symmetric encryption algorithm and an asymmetric encryption algorithm are mixed. 914 denotes a device for reading the card 921. 

[0044] On the other hand, 913 denotes a digital camera. It is intended to record not only an operation screen image 930 of a CRT 912 but also, simultaneously, a mug-shot of the operator. 

[0045] This embodiment will be discussed in detail with reference to the foregoing drawings. 

[0046] Concerning the procedure for detecting the label, discussion will be given with reference to Figs. 1, 2 and 5. 
[0047] Fig. 2 is an illustration for explaining the overall construction of a system utilizing the label. 
[0048] A computer 201 is connected to a network 202 having a lower security level (for example a WAN), and a computer 203 is connected to a network 204 having a higher security level (an internal LAN) as compared with 202. A firewall 210 is present between 202 and 204. To the firewall 210, a temporary storage device 211 (for example, a magnetic disk or a flash memory) is connected for storing the following programs, data, keys and so forth. 

[0049] There is shown a manner of attaching or deleting a label 241 by the firewall 210 upon transmitting/receiving communication data from the computer 201 to the computer 203. 
[0050] The firewall 210 performs processes of distributing, passing, blocking and so forth of the communication data depending upon the security of each item of communication data. Specifically, to the communication data flowing through 204, a label indicative of security is attached, and in the computer 203, access control is performed using the label. In the firewall 210, means 231 for attaching a label to communication data flowing from 202 to 204 and means 241 for deleting the label from the communication data 220 flowing from 204 to 202 stay resident. 

[0051] Particularly, it is desirable to provide a label encrypting function for preventing dishonest alteration of the label 241 on the computer 203 or the network 204, or its electrical interception. Encrypting means 243 cooperates with the attaching means 231, and decrypting means 242 cooperates with the revoking means 241. In the shown embodiment, an example using asymmetric encryption will be discussed hereinafter for simplification of disclosure. 

[0052] The encrypting means 243 of the computer 203 and the decrypting means 242 of the firewall, and the decrypting means 233 of the computer 203 and the encrypting means 242 of the firewall, are respectively corresponding pairs of encrypting and decrypting programs. Numerals 230, 240, 244 and 234 are keys to be used in encryption and decryption. A label encrypted by the public key 230 of the firewall 210 is decrypted by the private key 234 of the computer 203. A label encrypted by the public key of the computer 203 is decrypted by the private key of the firewall 210. 
[0053] In the shown embodiment, it is desirable to provide a correspondence table defining a relationship among the address (such as IP address or MAC address) of the sender/receiver of the information data 220, the kind of service (for example, port number, news, FTP, HTTP and so forth), attribute information of the user ID of the sender/receiver, and the label 221. By providing plural corresponding labels, it is possible to perform fine-grained control. 

[0054] In view of the system construction of Fig. 2, the flow of the content monitoring method in the computer 203 will be discussed with reference to Fig. 1. 

[0055] Communication data 230 with the label 231 attached is downloaded from the firewall 210 (110). If encrypted, the label is extracted in a given format, including a decrypting operation (111). If the label cannot be extracted (112), the error process at 140 and subsequent steps is performed. The contents of the label, such as a type indicative of security and an available range, are read to make judgment whether the label is falsified or not on the basis of the digital signature given together with the encryption (114). Furthermore, on the basis of the label, the security level is judged (116). Particularly, when the judgment cannot be made by the local machine, an inquiry is made to a label monitoring server (462, discussed later) on the network for retrieving the relationship between the described label and the security level (designated according to a security standard) (115, 130, 131). 

[0056] When the security level can be judged and the data is judged to have a level requiring collection of history (for example, higher than or equal to the B1 level under the typical security standard TCSEC), monitoring is started (117). For example, by input through a keyboard, a mouse or the like, interactive operation on the screen for the downloaded communication data is performed. When an operation relating to transmission to an external system (such as by e-mail or FTP) or to copying onto a local portable medium (for example, a magnetic disk or a hard disk) is performed, a system function defined by the OS, such as a call of Winsock or File I/O in the case of Windows for example, is detected (121). Alternatively, at every given period, such as every one minute (125), an image or bitmap of the operation screen is recorded in a file (122). It should be noted that when a digital camera for picking up an image of the operator is connected to 203, the history can be recorded more effectively by recording the mug-shot simultaneously with the screen operation. Monitoring ends when the program performing the operation relating to the downloaded communication data is terminated (124). If not, the process returns to step 121 (123). 
[0057] Discussion will be given for the error process (140, 141) relating to judgment of the security level using the label. When the label cannot be extracted or the label is falsified, an alarm indicating that the content is abusive content is displayed to the user to require judgment whether to terminate or continue (140). If the user selects "terminate", access to the downloaded communication data is terminated (141). If "continue" is selected, it is regarded that the user has agreed to have operation history taken, and the process advances to step 120. 
[0058] The label extraction process 111 in Fig. 1 will be discussed in detail. Particularly, concerning circulation of content, one embodiment of encapsulation using encryption will be discussed with reference to Figs. 5 and 6. 

[0059] Corresponding to the extraction process, the label attaching process in the firewall 210 will be discussed. 
[0060] In Fig. 6, the communication data 230 is divided into a data portion 610 as the body of the content and a header portion 611 indicating attributes (serial number, content of service and so on) of the content. Adapting to such a header portion of attributes, a correspondence table 222 for determining the label 612 to be attached (in the shown embodiment, corresponding to the keyword "Project", the label "SECRET R&D" is adopted) is looked up by the attaching means 231. 612 is combined with 611 and 610 and encrypted using the public key 230. 

[0061] The communication data and the label thus encrypted are separated by the extracting process 111. Basically, corresponding to the attaching process, the reverse process is performed. Using the private key 234, decrypting into plain text is performed. In Fig. 5, judgment is made as to whether the communication data is encrypted or not (501). As a judgment method, for example, judgment by a tag consisting of an attribute and an attribute value as defined in RFC1847 (Security Multiparts for MIME: Multipart/Signed and Multipart/Encrypted) is performed. If judged encrypted, the decrypting process is attempted using the private key 234 (503). After decrypting (504), the range of the header portion (612) including the label portion is judged (505). After clipping it (506) and adapting it to the given format of the label (507), inspection of each item (for example, security level, category) is performed (508). 
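The encapsulation of Fig. 6 and the extraction of Fig. 5 written out as an added illustration that is not part of the patent: the correspondence table rows other than "Project" to "SECRET R&D", the envelope marker, the part boundary and the HMAC tag that stands in for the page's public-key encryption and digital signature are all assumptions.

```python
import hashlib
import hmac

# Correspondence table 222 of the firewall: a keyword found in the content
# header selects the label to attach. "Project" -> "SECRET R&D" is the page's
# own example; the "Press" row and the "range" item are constructed.
CORRESPONDENCE_TABLE = {
    "Project": {"type": "SECRET R&D", "range": "internal-LAN"},
    "Press": {"type": "PUBLIC", "range": "any"},
}

MAGIC = b"LBL1\n"                  # envelope marker checked at step 501 (assumption)
BOUNDARY = b"\n--label-part--\n"   # separates label 612, header 611, body 610 (assumption)
TAG_LEN = hashlib.sha256().digest_size


def select_label(header: str) -> dict:
    """Attaching means 231: the first table keyword found in the header wins;
    content with no matching keyword gets a default label (assumption)."""
    for keyword, label in CORRESPONDENCE_TABLE.items():
        if keyword in header:
            return dict(label)
    return {"type": "UNCLASSIFIED", "range": "any"}


def encapsulate(header: str, body: bytes, key: bytes) -> bytes:
    """Fig. 6: combine label 612, header 611 and body 610 and seal them.
    The page encrypts and signs the combination with the firewall's keys;
    this stand-in protects it with an HMAC-SHA256 tag under a key shared by
    firewall and computer so the example runs on the standard library only."""
    label = select_label(header)
    label_text = ";".join(f"{k}={v}" for k, v in label.items()).encode()
    payload = label_text + BOUNDARY + header.encode() + BOUNDARY + body
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return MAGIC + tag + payload


def extract_label(data: bytes, key: bytes) -> dict:
    """Fig. 5 / step 111: the reverse of encapsulate(). The status is 'ok',
    'missing' when no label can be extracted (step 112) or 'forged' when the
    tag does not verify (step 114)."""
    if not data.startswith(MAGIC):                       # 501: not an envelope
        return {"status": "missing"}
    tag = data[len(MAGIC):len(MAGIC) + TAG_LEN]
    payload = data[len(MAGIC) + TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):           # 503/504 failed
        return {"status": "forged"}
    parts = payload.split(BOUNDARY, 2)                   # 505/506: clip the parts
    if len(parts) != 3:
        return {"status": "missing"}
    label_text, header, body = parts
    label = {}
    for item in label_text.decode().split(";"):          # 507: the given label format
        name, sep, value = item.partition("=")
        if sep:
            label[name] = value
    if "type" not in label or "range" not in label:      # 508: inspect each item
        return {"status": "missing"}
    return {"status": "ok", "label": label, "header": header.decode(), "body": body}


def demo() -> dict:
    """Constructed round trip: a sealed envelope, a tampered copy and plain data."""
    key = b"constructed-shared-key"
    sealed = encapsulate("serial=0042;service=Project plan", b"<content body>", key)
    tampered = sealed[:-1] + bytes([sealed[-1] ^ 0x01])   # flip one bit of the body
    return {
        "sealed": extract_label(sealed, key),
        "tampered": extract_label(tampered, key)["status"],
        "plain": extract_label(b"plain content", key)["status"],
    }
```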

[0062] Next, with reference to Fig. 3, a system construction for encrypting and collecting the history 323 recorded in the primary storage device 301 at step 122 of the computer 203 will be described. 

[0063] 351 denotes a computer exclusive to an auditor, 352 denotes a CRT, and 353 denotes a primary storage device for accumulating the histories. 

[0064] The computer 203 contains, among the programs 310 and 311 stored in the primary storage device 301, a program 311 for encrypting the history 323 and a program 312 for transmitting the encrypted history. 

[0065] The computer 351 contains a program 361 for generating a key and distributing it to the computer 203, a server program 362 for collecting the histories on a hard disk 353, and a program 363 for decrypting the collected history 324 and displaying it on the CRT 352. 321 and 322 are encryption keys generated by the program 361. 321 denotes a public key for encrypting a history 323, and 322 denotes a private key for decrypting the history 324. Preliminarily, or in preparation for use in the encryption program 311, the key 321 is fed to the computer 203 to be stored in the primary storage device 301. 

[0066] In the shown embodiment, after encryption using the public key of the auditor, the data is fed from time to time to a dedicated device of the administrator, preventing dishonest alteration, electrical interception, and waste of disk space on each computer. 

[0067] Next, with reference to Fig. 4, a system construction for extracting the label attached to the content at step 130 of the computer 203 and inquiring of the server 451 will be described. 
[0068] 451 denotes a computer exclusive to the administrator, 452 denotes a CRT, and 453 denotes a primary storage device storing a correspondence table 460 between the label and the security level. 

[0069] The computer 203 contains a program 233 for decrypting a content 420 and a label 423 stored in a primary storage device 401, a program 412 for inspecting the label of the content, and a program 413 for performing an inquiry relating to the label and encrypting the information relating to the label as it is. 

[0070] The computer 451 contains a program 464 for generating the key and distributing it to the computer 203, an encryption communication program 463 handling inquiries from the program 413, a program 462 called from 463 that compares the encrypted label against the correspondence table 460 of labels and security levels, and an alarming program further called from the program 462 that displays on the CRT 452 a message of the occurrence of unauthorized security access and of the recording of operation history. On the other hand, a program 461 permits the administrator to set the content of the correspondence table 460. 421 and 422 are encryption keys generated by the program 464. 421 denotes the public key for encryption and 422 denotes the private key for decrypting the label. Preliminarily, or in preparation for use in the encryption program 413, the key 421 is fed to the computer 203 and stored in the primary storage device 401. 

[0071] In the shown embodiment, the security meaning corresponding to the label may be modified by the administrator on the network by changing the rule in the correspondence table 460. 
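An added illustration, not the patent's own code, of the judgment of Fig. 1 (steps 112 to 117 and the error process 140/141), the monitoring loop (steps 120 to 125) and the rule table 460 of the monitoring server 451 described in [0068] to [0071]: the rule table rows other than "SECRET R&D", the event names fed to the monitor and the MonitoringServer class are assumptions.

```python
# TCSEC levels in ascending order; the page starts collecting history at B1.
TCSEC_ORDER = ["D", "C1", "C2", "B1", "B2", "B3", "A1"]
RECORD_THRESHOLD = "B1"

# Rule table 460 of the monitoring server 451: label type -> security level.
# "SECRET R&D" is the page's own example label; the other rows are constructed.
SERVER_RULE_TABLE = {
    "SECRET R&D": "B2",
    "CONFIDENTIAL": "B1",
    "INTERNAL": "C2",
    "PUBLIC": "D",
}


class MonitoringServer:
    """Judgment means 462: answers a computer's inquiry (steps 130/131) from
    the rule table and raises an alarm for a label it cannot judge."""

    def __init__(self, rule_table):
        self.rule_table = dict(rule_table)
        self.alarms = []

    def lookup(self, label_type):
        level = self.rule_table.get(label_type)
        if level is None:
            self.alarms.append(f"no rule for label {label_type!r}")
        return level


def requires_history(level):
    """True when the level is at or above the B1 threshold (step 117)."""
    return TCSEC_ORDER.index(level) >= TCSEC_ORDER.index(RECORD_THRESHOLD)


def judge_security(extraction, local_table, server):
    """Steps 112-117 of Fig. 1. `extraction` is the result of label
    extraction: {'status': 'ok'|'missing'|'forged', 'label': {'type': ...}}.
    Returns the action the computer takes next."""
    if extraction["status"] != "ok":              # 112 (missing) / 114 (forged)
        return {"action": "prompt", "reason": extraction["status"]}
    label_type = extraction["label"]["type"]
    level = local_table.get(label_type)           # 116: judge on the local machine
    if level is None:                             # 115: cannot judge locally
        level = server.lookup(label_type)         # 130/131: ask the monitoring server
    if level is None:                             # no rule anywhere: treat like no label
        return {"action": "prompt", "reason": "unknown-label"}
    action = "monitor" if requires_history(level) else "allow"
    return {"action": action, "level": level}


def error_process(choice):
    """Steps 140/141: after the abuse alarm the user chooses. 'terminate' ends
    access; 'continue' counts as consent to history taking and goes to 120."""
    return "terminated" if choice == "terminate" else "monitor"


def run_monitor(events, camera_attached):
    """Steps 120-125: one history record per detected OS call for transmission
    or copying (121/122) and per period tick (125); stops at termination (124).
    `events` is a constructed event stream; a real system would hook the OS."""
    triggers = {"winsock_send", "file_io_write", "tick"}
    history = []
    for event in events:
        if event == "terminate":
            break
        if event in triggers:
            history.append({"trigger": event, "screen_image": True,
                            "mug_shot": camera_attached})
    return history


def demo():
    """Constructed scenario: a small local table so that 'SECRET R&D' must be
    resolved by the server, plus forged and unknown labels."""
    server = MonitoringServer(SERVER_RULE_TABLE)
    local_table = {"PUBLIC": "D"}

    def labelled(label_type):
        return {"status": "ok", "label": {"type": label_type, "range": "internal-LAN"}}

    return {
        "secret": judge_security(labelled("SECRET R&D"), local_table, server),
        "public": judge_security(labelled("PUBLIC"), local_table, server),
        "forged": judge_security({"status": "forged"}, local_table, server),
        "unknown": judge_security(labelled("DRAFT"), local_table, server),
        "alarms": list(server.alarms),
        "history": run_monitor(["keypress", "tick", "file_io_write",
                                "winsock_send", "terminate", "tick"], True),
    }
```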

[0072] With reference to Figs. 7 and 8, the procedure of encrypted communication between the firewall 210 and the computer 203 will be discussed. 
[0073] Fig. 7 shows the processes of the encrypting program 232 in the firewall 210 and the decrypting program in the computer 203. The correspondence table 222 is provided in the firewall 210, and different encryption keys are used according to the destination computer or user. Here, there is shown an example performing encryption at the packet level of the network (even for encryption in the application layer, a similar procedure may be performed using information such as the user ID in place of the IP address or port number). 

[0074] At first, the security level of the network through which the content flows is judged by the IP address of the sender (701). When encryption is necessary, the IP address of the recipient computer 203 is extracted from the packet (702) for encrypting using the public key 230 corresponding to the IP address of the recipient (705). If the public key 230 is not present (703), encryption is performed using the public key of the firewall 210 (704). The encrypted packet is fed to the computer 203 (705). In the computer 203, when the circulated packet requires decrypting, decrypting is performed using the private key 234 corresponding to the public key 230 (712). If decryption is not possible, judgment is made that the process at step 704 was performed (713), and the computer's own public key and the packet are fed to the firewall, so that the packet is once decrypted in the firewall and re-encrypted with the public key 230 (714). 

[0075] In the shown embodiment, for a computer that does not frequently communicate with external computers, both response performance and security can be satisfied by providing the re-encryption process in the firewall. 

[0076] Conversely to Fig. 7, a process of a decrypting program 242 in the firewall 210 for controlling a flow of a packet from a network having a higher security to a network having a lower security, and an encryption program 243 of the computer 203, will be discussed with reference to Fig. 8.

[0077] The correspondence table 222 is provided in the firewall 210, and a different decryption key is used adapting to the destination computer or user. Here, similarly to Fig. 7, there is shown an example to perform decrypting at the packet level of the network.

[0078] In the computer 203, when judgment is made that encryption is necessary upon feeding data to other computers (801), encryption is performed with the public key adapted to the IP address of each computer (805). When judgment is made that the sender is the computer 201 belonging to the network 202 having a lower security level (803), encryption is performed with the public key 230 of the firewall 210. The encrypted communication data is transmitted as a packet (806).

[0079] In the firewall 210, the IP address of the sender computer 203 is extracted from the packet, and the security level of the network through which the communication data flows is judged based on the IP address of the sender (811), to perform decrypting using the private key 240 of the firewall (812). If decryption is successful, the decrypted data is fed from the firewall to the computer 201 in the network 202 having a lower security level (815). If decryption failed, passing the firewall is not permitted (814).

[0080] In the shown embodiment, when data communication is performed to an external computer, decrypting into plain text is performed in the firewall to enable monitoring of the taking out of secure content to the outside.
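As an added example (not the patent's own code), the key-selection and fallback logic of Figs. 7 and 8 in a toy Python model: the correspondence table 222, the firewall-key fallback at step 704 with re-encryption at step 714, and the egress rule that only traffic the firewall can decrypt is allowed to pass. Key names, IP prefixes and the table contents are constructed, and "encryption" is only a tag, not real cryptography.

```python
from collections import namedtuple
# Constructed toy model, not the patent's code: a key pair is a pair of names
# ("pub_X"/"priv_X"), "encrypting" tags a packet with the public key name, and
# decryption succeeds only with the matching private key; no real crypto here.
Packet = namedtuple("Packet", "src_ip dst_ip payload key_id", defaults=(None,))
HIGH_PREFIX = "10.1."                     # constructed prefix of higher-security network 204
FW_PRIV, FW_PUB = "priv_fw", "pub_fw"     # firewall private key 240 / public key 230
CORRESPONDENCE = {"10.1.0.3": "pub_203"}  # table 222: recipient IP -> public key

def level(ip):
    return "high" if ip.startswith(HIGH_PREFIX) else "low"

def encrypt(pkt, pub):
    return pkt._replace(key_id=pub)

def decrypt(pkt, priv):
    if pkt.key_id == priv.replace("priv_", "pub_"):
        return pkt._replace(key_id=None)
    return None                           # decryption failed (steps 713 / 813)

def firewall_inbound(pkt):
    # Fig. 7, 701-705: traffic from the lower-security net is encrypted for the
    # recipient; with no table entry the firewall's own public key is used (704).
    if level(pkt.src_ip) == "high":
        return pkt
    return encrypt(pkt, CORRESPONDENCE.get(pkt.dst_ip, FW_PUB))

def computer_receive(pkt, priv):
    # Fig. 7, 711-714: if our private key fails, step 704 happened; our public
    # key goes to the firewall, which decrypts once and re-encrypts for us.
    plain = decrypt(pkt, priv)
    if plain is None:
        inner = decrypt(pkt, FW_PRIV)     # this step runs inside the firewall
        if inner is None:
            return None
        pub = priv.replace("priv_", "pub_")
        CORRESPONDENCE[pkt.dst_ip] = pub  # assumption: the firewall records the learnt key
        plain = decrypt(encrypt(inner, pub), priv)
    return plain

def computer_send(pkt):
    # Fig. 8, 801-806: data bound for the lower-security net is encrypted with
    # the firewall's public key 230 (803), otherwise with the peer's key (805).
    pub = FW_PUB if level(pkt.dst_ip) == "low" else CORRESPONDENCE.get(pkt.dst_ip, FW_PUB)
    return encrypt(pkt, pub)

def firewall_outbound(pkt):
    # Fig. 8, 811-815: egress passes only if the firewall can decrypt it (814 -> None)
    return decrypt(pkt, FW_PRIV) if level(pkt.src_ip) == "high" else pkt
```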

[0081] As set forth above, the embodiment for setting the encryption key using the IP address of the computer has been discussed. Hereinafter, another embodiment for setting the encryption key, using the user ID in the application layer, will be discussed.

[0082] Fig. 9 is a block diagram for explaining a system construction for managing the encryption key corresponding to the user ID using a portable type medium (for example, PCMCIA card 920). The computer 203 is constructed with a main body 911 incorporating a hard disk, a memory and a CPU, a CRT 912, a digital camera 913, a card reader 914, and a keyboard (mouse) 915. The digital camera 913 and the card reader 914 belong to the devices of the main body 911.

[0083] On the CRT 912, an operation screen image 930 (multi-window) is displayed. The operation screen image 930 for operation using the keyboard 915 and the mug-shot of a user picked up by the digital camera 913 are recorded as history.

[0084] In the card 920, a private key 923 and a public key 924 of the user, and a public key 925 corresponding to the private key 940 of the firewall are incorporated. In the firewall, the public key 230 as a copy of the public key 924 and the private key 240 of the firewall are provided. For using the portable medium 920, the card reader 914 is provided. By utilizing unspecified computers using the programs 233 and 243 staying resident, convenience can be enhanced.

[0085] [Effects of the Invention] By the present invention, the problems in the prior art can be solved.

[0086] (1) Contents out of contract are not permitted to circulate.

[0087] By making reference to the label in each computer, it is made clear that copying or transferring to another system of content not attaching a proper label is not permissible, to localize the influence of dishonest circulation.

[0088] (2) By notifying that the operation screen image is being recorded as history, copying without permission by a user can be restricted.

[0089] By giving notification to a user that the copy operation of the content on the computer is recorded and left as history, and by indicating the penalty for copying without permission, violating activity can be restricted.

[0090] On the other hand, by recording an operation screen image or a mug-shot as visual history, an auditor outside the organization can make judgment of non-permitted activity objectively, irrespective of the contents of the business.

[0091] In the present invention, an auditor device exclusive for operation of an auditor as a third party outside the organization is provided on a network to transfer and accumulate the operation history of each computer.

[0092] At this time, using the public key of the auditor in each computer, the operation history is encrypted. The auditor decrypts the accumulated operation history using the private key, stringently managed separately, only in response to an audit demand. As set forth, by encrypting the operation history in each computer and transferring it to the audit device, it becomes possible to prevent a user or an administrator other than the auditor from making reference to, dishonestly altering, or hiding the operation history.

[0093] In the present invention, a monitoring device dedicated for operation of an administrator in the organization is provided on a network to make judgment of the necessity of recording of operation history on the basis of an auditor rule table corresponding to a label.

[0094] For this reason, the administrator may control or manage access or copying of the content in each computer according to the rule in the organization (domain). Maintenance operation associated with modification of rules only requires rewriting of the rule table. On the other hand, by the setting of the audit rule table, it is not necessary to record all operation history for access or copying of all contents, and there is realized system operation adapted to the prevention of waste of a storage medium (hard disk) accumulating the operation history and to the protection of the privacy of the user.

[0095] In the present invention, a dedicated firewall is provided on the network to perform the process of generation and disposal corresponding to input/output of communication data. In the computer belonging to the network having a higher security (for example, higher than or equal to B level of TCSEC), a function for reading the label of the communication data is provided (middleware or OS).

[0096] Therefore, the administrator may control access or copying of contents between domains having different security levels across the firewall according to the rule in the organization (domain).

[0097] Furthermore, in the dedicated firewall, labels are encrypted by the encryption key for the limited people who make reference to the content. Furthermore, the decryption key which can decrypt the content is stored in the portable card (for example Smart Card, PCMCIA card) distributed per user as a session key varying the content at every communication. The decrypted content is disposed of at the stage where use is completed.

[0098] Therefore, using the portable card, downloading (primary copy) of the content from the firewall to each computer is enabled, whereas transferring to another system or file storage under another name (secondary copy) is restricted.

[Brief Description of the Drawings]

[Fig. 1] A flowchart of a content audit method in a computer;
[Fig. 2] A block diagram of a firewall of the present invention connecting domains having different security levels;
[Fig. 3] A block diagram of an audit device according to the present invention accumulating history of operation screen images of a terminal;
[Fig. 4] A block diagram of a monitoring device according to the present invention making judgment of the necessity of recording of operation screen images of the terminal;
[Fig. 5] A flowchart showing a procedure for detecting a label in each computer;
[Fig. 6] A block diagram showing the arrangement of programs generating and separating the label;
[Fig. 7] A flowchart showing a procedure for decrypting communication data encrypted by the firewall in each computer;
[Fig. 8] A flowchart showing a procedure for inspecting in the firewall whether communication data encrypted in the computer can be decrypted or not; and
[Fig. 9] A block diagram showing the construction of a computer terminal of the present embodiment.

[Description of Reference Numerals]
201, 203 ... Computer
210 ... Firewall
232, 231, 241, 242 ... Program staying resident in firewall
310 ... History recording program
451 ... Administrator terminal
351 ... Auditor terminal
913 ... Camera
920 ... Card
DRAWINGS (text labels recoverable from the figure images)

Fig. 2: 204 HIGHER SECURITY LEVEL
Fig. 3: 362 ACCUMULATING MEANS
Fig. 5: 507 CONFIRM EACH ITEM OF HEADER; 508 EACH ITEM (LABEL) PRESENT?; 510 CANNOT DETECT; GOAL
Fig. 7: 705 ENCRYPTION USING PUBLIC KEY OF COMMUNICATION DESTINATION; 706 ENCRYPTED COMMUNICATION; GOAL; EACH COMPUTER: START; 711 DECRYPTION NECESSARY?; 712 DECRYPT USING PRIVATE KEY; 713 DECRYPTED?; 714 TRANSMIT TO FIREWALL AND RE-ENCRYPTION; GOAL
Figs. 4, 6, 8 and 9: no text labels recoverable.